Blaming a "data retention glitch," Microsoft has agreed to pay the Federal Trade Commission $20 million to settle allegations that the company's Xbox gaming system has illegally collected personal information from children signing up to use Xbox -- even when the company was aware that users were under the age of 13.
The complaint is certainly worth a read for any company that owns and operates online properties that require registration and have users under 13. After you've read the complaint, it is time to analyze your data collection processes in light of this important complaint and settlement under the Children's Online Privacy Protection Act (COPPA).
Here's why. The FTC/Microsoft settlement reminds us that COPPA covers both websites and online services that are "directed to children" and those with "actual knowledge" they are collecting data or dealing with data from kids under 13. Whether your company actually collected the information or you receive the data knowing that a third party collected it from a child under 13, the obligation of COPPA compliance is yours. Under the proposed settlement order, that includes the video game publishers who will be informed by Microsoft when a user is under 13.
As you are evaluating your potential COPPA exposure, also remember that "personal information" under COPPA is much (much) more than a name or name and address. It includes a myriad of other information concerning the child or the parents of the child collected online from the child, including information referred to in the proposed settlement such as avatars, biometrics, vital signs, and health data.
In addition to notifying video game publishers to whom Microsoft has disclosed personal information in violation of COPPA, the FTC order requires Microsoft to implement new business practices to increase privacy protections for Xbox users under 13. Among other things, according to the FTC Business Blog post, if parents haven’t created a separate account for their kids, Microsoft must let them know that a separate account will provide additional privacy protections for their child by default. The company also must maintain a system to delete, within two weeks from the collection date, all personal information collected from kids for the purpose of getting parental consent unless the parent grants consent within that time. In addition, Microsoft must honor COPPA’s data deletion requirements by getting rid of all other personal data collected from children after it’s no longer needed.
In case you've forgotten, Microsoft’s Minecraft — a game franchise popular with children where users create 3D worlds with Lego-like blocks — has 141 million active players worldwide, according to Statista.
The final paragraph in the FTC Business Blog post written by senior FTC attorney Lesley Fair: “Default,” dear Brutus, is not in our stars, but in ourselves. A key takeaway is the importance of designing default settings with COPPA compliance in mind. Walk through your processes from the perspective of parents and kids.
Where does the FTC say Microsoft went wrong? [It] started with the initial sign-up procedure. To play, users needed a Microsoft account. At the outset, Microsoft required them to provide their email address, their first and last name, and their date of birth. Until late 2021, Microsoft also asked for their phone number. What’s more, Microsoft required them to consent to the company’s service agreement, which until 2019 included a pre-checked box allowing Microsoft to send them promotional messages and to share user data with advertisers. The sequence of events is important here because Microsoft asked for all that information even from users who had just told the company they were under 13. Only after gathering that raft of personal data from children did Microsoft get parents involved in the process.
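The two design points the settlement turns on, the order of the sign-up steps (age check before any other collection, no pre-checked marketing box) and the two-week limit on holding data collected only to obtain parental consent, can be expressed directly in a registration service. The following is an added illustration written for this page, not Microsoft's or the FTC's code; the `SignupStore`, `Record`, `age_on` and `demo` names, the form field names and the sample dates are all constructed for the example.

```python
"""Age-gate-first sign-up flow plus a pending-consent retention purge.
Constructed example for illustration; not Microsoft's or the FTC's code."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

COPPA_AGE_LIMIT = 13
CONSENT_WINDOW = timedelta(days=14)   # two weeks, as the order is described above


@dataclass
class Record:
    """What the service keeps for one sign-up; None means "not collected"."""
    account_id: int
    birth_date: date
    created_at: datetime
    under_13: bool
    parent_email: Optional[str] = None   # kept only to request parental consent
    email: Optional[str] = None
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    phone: Optional[str] = None
    marketing_opt_in: bool = False       # off by default; never pre-checked
    parental_consent: bool = False


def age_on(birth_date: date, today: date) -> int:
    """Whole years between birth_date and today."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    return today.year - birth_date.year - (0 if had_birthday else 1)


class SignupStore:
    def __init__(self) -> None:
        self.records: dict[int, Record] = {}
        self._next_id = 1

    def sign_up(self, submitted: dict, now: datetime) -> Record:
        """Evaluate the date of birth BEFORE storing anything else.

        For a user under 13 only the birth date, a parent contact address and a
        timestamp are retained; name, phone, the child's own e-mail and any
        marketing choice in the raw form payload are discarded, not stored."""
        birth_date: date = submitted["birth_date"]
        under_13 = age_on(birth_date, now.date()) < COPPA_AGE_LIMIT
        rec = Record(account_id=self._next_id, birth_date=birth_date,
                     created_at=now, under_13=under_13)
        if under_13:
            rec.parent_email = submitted.get("parent_email")
        else:
            rec.email = submitted.get("email")
            rec.first_name = submitted.get("first_name")
            rec.last_name = submitted.get("last_name")
            rec.phone = submitted.get("phone")
            # Opt in only on an affirmative choice; absence of the field means no.
            rec.marketing_opt_in = submitted.get("marketing_opt_in") is True
        self.records[rec.account_id] = rec
        self._next_id += 1
        return rec

    def grant_parental_consent(self, account_id: int) -> None:
        self.records[account_id].parental_consent = True

    def purge_expired_pending(self, now: datetime) -> list[int]:
        """Delete under-13 records still awaiting consent after CONSENT_WINDOW.
        Returns the purged ids so the scheduled job can log them for audit."""
        expired = [rid for rid, r in self.records.items()
                   if r.under_13 and not r.parental_consent
                   and now - r.created_at > CONSENT_WINDOW]
        for rid in expired:
            del self.records[rid]
        return expired


def demo() -> dict:
    """Constructed walkthrough of both rules; returns values a caller can check."""
    store = SignupStore()
    t0 = datetime(2023, 6, 1, tzinfo=timezone.utc)
    child = store.sign_up({"birth_date": date(2015, 3, 9), "email": "kid@example.invalid",
                           "first_name": "Sam", "last_name": "Doe", "phone": "555-0100",
                           "parent_email": "parent@example.invalid",
                           "marketing_opt_in": True}, t0)
    adult = store.sign_up({"birth_date": date(1990, 1, 1), "email": "adult@example.invalid",
                           "first_name": "Alex", "last_name": "Roe"}, t0)
    consented = store.sign_up({"birth_date": date(2016, 7, 1),
                               "parent_email": "parent2@example.invalid"}, t0)
    store.grant_parental_consent(consented.account_id)
    return {
        "child_stored_name": child.first_name,        # None: never stored for an under-13 user
        "child_stored_phone": child.phone,            # None
        "child_marketing": child.marketing_opt_in,    # False although the form said True
        "adult_marketing": adult.marketing_opt_in,    # False: nothing was affirmatively chosen
        "purged_day10": store.purge_expired_pending(t0 + timedelta(days=10)),  # []
        "purged_day15": store.purge_expired_pending(t0 + timedelta(days=15)),  # [1]
        "remaining": sorted(store.records),           # [2, 3]: adult and consented child
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The purge job is deliberately driven by an explicit `now` argument rather than the wall clock so that the retention rule can be unit-tested at day 10 and day 15 against the same store; in production the same function would run from a scheduler and its returned ids would go to the audit log.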